Information Systems 7/1/03 Tom Coppeto MIT Mail System Security Issues 1 July 2003
Dec 23, 2015
MIT Mail System
Security Issues
1 July 2003
Agenda
• Introduction to the mail system
• Authentication
• Virus Filtering
The Mail System
[Diagram: Internet, DMZ (MX mit.edu), Mailhub, Post Office, Outgoing, MIT Users, Other MIT Mailers]
The Mail System Acronymified
[Diagram: the mail system components labelled by role: Internet MTA, MTA, MUA/MSA, MAA, MTA/MDA, Other MIT MTA]
MUA: Mail User Agent
MSA: Mail Submission Agent
MTA: Mail Transfer Agent
MDA: Mail Delivery Agent
MAA: Mail Access Agent
SMTP Authentication
• MIT mail relays abused by spammers
• Outgoing is a quasi-open relay
• Need to further tighten outgoing to stop this
• The answer is SMTP authentication
• Only authorized users should be allowed to be an MSA and all MTA’s should not permit open relaying
SMTP Authentication (2)
• Benefits:
  – Reduction in mail abuse
  – Protected transfer of email messages
  – Gets around ISP’s who filter normal SMTP traffic
• Costs:
  – Additional complexity in configuration
    • Though not much
  – Older applications will need updating
  – System->system mail will require more work
SMTP Authentication (3)
• Secure transport (encryption)
• Authentication
SMTP Secure Transport
• The great thing about standards is that there are so many to choose from
• SMTPS
  – Tunnels SMTP within secure transport (SSL)
  – Supported by some clients such as Outlook, Entourage and Apple Mail
• SMTP/TLS
  – RFC 3207
  – Negotiates secure transport within SMTP (port 25)
  – Supported by some clients such as Eudora 5.1 and Apple Mail
• The moral of the story is switch to a Mac
Ports For Every Harbor
• SMTP (25)
  – Traditional standard for mail transport and submission
  – IETF standards include STARTTLS
• SMTPS (465)
  – Intended for SMTP over SSL
  – Revoked by the IETF
  – Some apps still use this
• SMTP/TLS (587)
  – “submission” (MSA) port
  – Deprecated in favor of 25
• ISP’s block 25 so this doesn’t solve the roaming problem and ISP’s don’t allow you to maintain your own identity
• “It may be that the SMTP transport will self-destruct by failing to provide connectivity sufficient to be useful”
  – Bob Frankston
Our Goals
• Secure transport for all MSA transactions
• Require authentication
• Support popular applications such as
  – Outlook
  – Eudora
  – Entourage
  – Apple Mail
  – Netscape
• MIT users to be able to roam about Interland without:
  – Loss of identity
  – Difficult reconfiguration
  – Special network setups
Our Solution
• Support SMTPS on 465
  – This may wither away
• Support STARTTLS on 587
  – STARTTLS is a current standard
  – 587, although deprecated, is in widespread use as the MSA port
  – We won’t permit STARTTLS to negotiate insecure connections
• Deprecate port 25
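One way to check that a submission port behaves as described above (no password authentication until STARTTLS has completed), as an added example and not MIT's configuration or tooling. The EHLO replies and the host msa.example.org are constructed, and the function names are hypothetical.

```python
# Added example (not from the slides): audit EHLO replies from a submission port.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}   # mechanisms that send a reusable password

def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    caps = {}
    lines = [l.strip() for l in reply.strip().splitlines() if l.strip()]
    for line in lines[1:]:                      # line 0 is the server greeting
        if line[:3] != "250" or line[3:4] not in ("-", " ") or not line[4:].strip():
            raise ValueError(f"unexpected EHLO line: {line!r}")
        rest = line[4:].strip()
        if rest.upper().startswith("AUTH="):    # legacy "AUTH=LOGIN PLAIN" form
            rest = "AUTH " + rest[5:]
        words = rest.upper().split()
        caps.setdefault(words[0], []).extend(words[1:])
    return caps

def audit_submission(pre_tls: str, post_tls: str) -> list:
    """Compare capabilities advertised before and after STARTTLS."""
    before, after = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered: the session cannot be encrypted")
    exposed = PASSWORD_MECHS & set(before.get("AUTH", []))
    if exposed:
        findings.append("password AUTH offered before TLS: " + ", ".join(sorted(exposed)))
    if "AUTH" not in after:
        findings.append("no AUTH after STARTTLS: submission is unauthenticated")
    if "STARTTLS" in after:
        findings.append("STARTTLS re-advertised inside TLS (RFC 3207 forbids it)")
    return findings

# Constructed EHLO replies; msa.example.org is a placeholder host.
STRICT_PRE = "250-msa.example.org Hello\n250-SIZE 10485760\n250-STARTTLS\n250 HELP"
STRICT_POST = "250-msa.example.org Hello\n250-AUTH GSSAPI PLAIN LOGIN\n250 HELP"
LAX_PRE = "250-msa.example.org Hello\n250-AUTH=LOGIN PLAIN\n250-STARTTLS\n250 HELP"

if __name__ == "__main__":
    print(audit_submission(STRICT_PRE, STRICT_POST))   # no findings
    print(audit_submission(LAX_PRE, STRICT_POST))
```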
Future Issues
• This area is a mess
  – Applications vary
  – Spammers & witch hunts for open relays
  – Changing standards
  – ISP filtering
    • May get more sophisticated than a simple port filter
  – ISP not interested in you being able to easily switch providers
• We’ll see one of two things:
  – New protocols & ports
  – Greater dependence on web solutions
SMTP Authentication
• The MIT MSA supports Kerberos V5 for user authentication
  – A username/password may be tunneled within SSL and checked with the KDC
  – A Kerberos credential may be presented
    • GSSAPI
    • Only Eudora supports this
  – Not supporting certificates at this time
• The recommendation is to make the authentication method symmetric between mail download (IMAP) and mail submission
SMTP Authentication: Messages
Received: from mit.edu (vw.mit.edu [18.18.18.18])
    (authenticated bits=0) (User authenticated as [email protected])
    by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423
    (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT)
    for <[email protected]>; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)
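The annotations in this header can be checked mechanically; the following added example (not part of the original slides) parses them and flags a hop that lacks AUTH or TLS. The regular expressions assume the layout shown above, the function names are hypothetical, and the sample headers are constructed with placeholder hosts and addresses.

```python
import re

# Added example: sendmail-style Received annotations, as in the header above.
AUTH_RE = re.compile(r"\(authenticated(?: bits=(\d+))?\)")
USER_RE = re.compile(r"\(User authenticated as ([^)]+)\)")
TLS_RE = re.compile(r"\((version=[^)]*)\)")
FIELD_RE = re.compile(r"(version|cipher|bits|verify)=([^\s)]+)")

def parse_submission_hop(received: str) -> dict:
    """Extract the AUTH and TLS annotations from one Received header."""
    text = " ".join(received.split())          # undo header folding
    auth, user, tls = AUTH_RE.search(text), USER_RE.search(text), TLS_RE.search(text)
    return {
        "authenticated": auth is not None,
        # SASL security-layer strength; 0 means SASL itself added no encryption
        "auth_ssf": int(auth.group(1)) if auth and auth.group(1) else None,
        "auth_user": user.group(1) if user else None,
        "tls": dict(FIELD_RE.findall(tls.group(1))) if tls else {},
    }

def check_hop(hop: dict, min_bits: int = 128) -> list:
    """Return policy problems for a hop that should be an authenticated MSA."""
    problems = []
    if not hop["authenticated"]:
        problems.append("no SMTP AUTH recorded")
    tls = hop["tls"]
    if not tls:
        problems.append("no TLS recorded")
    elif int(tls.get("bits", 0)) < min_bits:
        problems.append(f"weak cipher: {tls.get('cipher')} ({tls.get('bits')} bits)")
    return problems

# Constructed headers modelled on the slide; hosts and addresses are placeholders.
GOOD = ("Received: from client.example.org (client.example.org [192.0.2.10])\n"
        "\t(authenticated bits=0) (User authenticated as user@EXAMPLE.ORG)\n"
        "\tby msa.example.org (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423\n"
        "\t(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT)\n"
        "\tfor <rcpt@example.org>; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)")
PLAIN = ("Received: from client.example.org (client.example.org [192.0.2.10])\n"
         "\tby msa.example.org (8.12.4/8.12.4) with ESMTP id h5UFAwaT002424\n"
         "\tfor <rcpt@example.org>; Mon, 30 Jun 2003 11:11:02 -0400 (EDT)")
```

Only Received lines stamped by your own servers can be trusted this way; lines lower in the message may have been written by the sender.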
SMTP Auth Configuration Example
• Apple Mail
SMTP Auth Configuration Example
• Eudora
Other Challenges
• Outgoing supports email addressed from *.mit.edu rather than mit.edu
  – Many alumni are using this to keep their @alum.mit.edu identity
  – We’ll have to do something here which may bring us back to the alum.mit.edu vs. mit.edu issue
• MTA’s masquerading as MSA’s
  – They should stop doing that
• Use of sendmail as an MSA
  – Where possible, users should use apps with a built-in MSA (as opposed to mh->sendmail)
  – Where possible, the MTA should be running on the client machine (e.g. sendmail does direct delivery)
  – Possible certificate based solution for the rest
SMTP Authentication: Next Steps
• Solidify recommended configurations for known applications
• Modify configurations to use a flavor of smtp authentication by default
• Make this the recommended solution for existing users
  – Now we have an answer for ISP problems
• Campaign to have MIT users upgraded by July 1, 2004
Viruses
• We are filtering several known viruses at the border
  – Looking for identifying signatures
  – CPU intensive
• Then came bugbear
  – No consistent signature to filter
  – Extension filtering (.scr, .pif, .exe) remains the most effective known measure, although we are being a bit more precise than this for now
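A minimal version of the extension filter described above, as an added example rather than MIT's actual filter: it walks the MIME parts of a message and reports attachments whose final extension is .scr, .pif or .exe. The sample message, addresses and function names are constructed for illustration, and the check does not look inside archives.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED = {".scr", ".pif", ".exe"}   # the extensions named on the slide

def blocked_attachments(raw: bytes) -> list:
    """Return the filenames of MIME parts whose last extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" and falls back
        # to the Content-Type "name" parameter.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "setup.exe." still runs.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last extension matters: "photo.jpg.pif" is a .pif file.
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in BLOCKED:
            hits.append(name)
    return hits

def build_sample() -> bytes:
    """Constructed message: one harmless and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="photo.jpg.PIF")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="setup.exe.")
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```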
Where Do We End Up?
• Content filtering for viruses has proven less effective
• The only measure we have left is to prevent the delivery of all executable programs
• We can be proactive in getting the word out
• Or, we can wait until a more advanced version of bugbear is released when we’ll be forced to implement this anyway
• Let’s get the word out
Conclusions
• Authentication is good
• Viruses are bad
any questions?